COMPUTER SECURITY

NETWORKS
Fall 2010
REVIEW - LAST LECTURE

    Computer Crimes

    Social Engineering

    Network Scanning

REVIEW - SOCIAL ENGINEERING
    The most common type of attack

    Basically: lying to someone to gain information on how to
     penetrate the network or systems

    Preys upon the basic tendency in a company to trust other
     company personnel and to believe what they are told over the
     phone or by e-mail

    No detailed technical skills required, but the attacker must be
     credible and knowledgeable about the organization and about its
     methods and procedures for granting access

    Easiest places to attack: users and the support desk

REVIEW - FOOTPRINTING

    Before a hacker attempts to gain access to a
     system, time must be spent gathering information
     about the target.
    This process is known as footprinting
        It is a critical step in subverting the security of a target
         system
        Footprinting is the hacking equivalent of casing a
         potential robbery location.
        Systematic footprinting allows the hacker to create a
         complete profile of the target system, including information
         about the domain, network blocks, IP addresses exposed
         on the Internet, and system architecture.
        Once the profile is known, a hacker will be able to focus on
         specific machines and ports to gain access to the
         system.
OUTLINE

    Computer Crimes

    Ping Sweep

    Port Scan

Computer Crimes

CRIMES 1

   Traci Southerland has been sentenced to 13 years
    in prison for stealing personal information from the
    Hamilton County (OH) Clerk of Courts' website and
    using it to commit identity fraud.
     Southerland and seven others used the stolen
      information to commit credit card and check fraud,
      netting them US$500,000.
     The county clerk's website now blocks access to
      documents that hold personally identifiable
      information.

CRIMES 2
   Six people have been indicted on fraud charges for their involvement in a
    phishing scam that tried to gather credit card and bank account numbers
    from AOL users.
        The individuals allegedly gathered thousands of AOL email addresses and sent
         maliciously crafted ecards that downloaded software that prevented the users
         from logging on to AOL without providing credit card or bank account
         information.
        The cyber thieves allegedly used the stolen financial account information to buy
         computers, gift cards and gaming consoles.
        Three of the men have already pleaded guilty and face between two and
         nine-and-a-half years in prison when they are sentenced in December. The
         other three people have not yet been arraigned.

CRIMES 3
   A contract worker at the Stevens Hospital
    emergency room in Edmonds, Washington stole
    patients' credit card numbers and gave the
    information to her brother who used it to buy
    thousands of dollars worth of goods over the
    Internet.
     Yvon Hennings pleaded guilty to conspiracy to commit
      access device fraud and wire fraud. She will be
      sentenced in November and her brother's trial is slated
      to begin in January 2007.
     The data breach affected patients who visited the
      emergency room between December 2003 and January
      2005.

Ping Sweep

PING SWEEPING
      The first step in scanning is to determine which IP addresses
       in the network block are machines that are live hosts.
           This process can be done using the Internet Control Message
            Protocol (ICMP).
           ICMP was designed as a simple protocol to report network error
            conditions and supply basic network information.
           Unfortunately, ICMP can be used by hackers for network
            reconnaissance.

      ICMP is a particularly good protocol for identifying active IP
       addresses.
           Unlike the Transmission Control Protocol (TCP) and User Datagram
            Protocol (UDP), ICMP does not connect to a particular service on a
            given host, but rather attempts to contact the host operating system.
           Knowing the IP address of a host is enough to determine if the host is
            alive
           simply send it an ICMP echo request, a ping, and if it responds, you
            know the machine is alive.
            Using ICMP to determine the live hosts on a network is often termed
             ping sweeping.

EXAMPLE

    The whois lookup on plu found the network IP address range
     152.117.0.0 to 152.117.255.255 (a /16, 65,534 host addresses)
        How many of those addresses are actually used?
        Find out by sending a ping to each one:

                ping 152.117.0.1
                ping 152.117.0.2
                ping 152.117.0.3
                ...

        This could take a lot of time

PING RUN
    Example of a successful ping:
        (command output not reproduced in this text)

    Example of an unsuccessful ping:
        (command output not reproduced in this text)

USE NMAP
    The ping sweep can be automated using nmap
    The command is:
          nmap -sP 152.117.0.0/29
        (Newer nmap releases spell this option -sn; -sP still works as an
         alias. Run as root, it sends a TCP SYN to port 443 and a TCP ACK to
         port 80 as well as ICMP echo and timestamp requests, so it is not a
         pure ICMP sweep.)
    This is a particularly noisy scan that can be detected by an IDS
     that looks for a threshold number of ICMP echo requests
     originating from the same source over a given amount of time.
        Most IDSs are capable of detecting this type of scan, so a
         careful attacker avoids it

EXAMPLE RUN
    Using NMapWin (available from www.insecure.org), 3
     systems at PLU were up and running:
        (scan output not reproduced in this text)

WORK AROUND 1
    If a hacker can limit the number of echo requests issued, it
     may be possible not to trigger an IDS alarm because the
     threshold number of ICMP requests will not be exceeded.
        By issuing ICMP echo requests to known broadcast
         addresses, the number of pings can be kept to a
         minimum.
        For example, in a /24 the address ending in 255 is the directed
         broadcast address and the one ending in 0 is the network address
         (old BSD-derived stacks treated it as a broadcast as well); a
         packet sent to either is meant to reach every host in the subnet.
        Therefore, a clever hacker will send ICMP echo
         requests to the 0 and 255 addresses for a given block
         and potentially get back up to 254 echo replies.
        This is much more efficient and stealthier than a scan
         that sends individual requests to all 254 potentially
         active machines
        Caveat: this only works if the router in front of the block
         forwards directed broadcasts. Because the same behaviour enables
         Smurf amplification attacks, routers have dropped directed
         broadcasts by default since RFC 2644 (1999), so from outside the
         network this trick rarely works today.

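The threshold rule on the USE NMAP slide and the broadcast trick on this slide, put into code. This is an added example, not code from the slides or from nmap: the IDS rule (more than 20 echo requests from one source inside 10 seconds), the attacker address 203.0.113.7 and the sensor events are all assumed or constructed; nothing is sent on the wire. It shows that the naive sweep of a /24 trips the rule after 21 requests while the two broadcast probes do not, and how many probes each approach needs for the whole plu.edu /16.

```python
from collections import deque
import ipaddress

# Assumed IDS rule (not from the slides): more than THRESHOLD echo requests
# from one source within WINDOW seconds raises an alert.
THRESHOLD = 20
WINDOW = 10.0
ECHO_REQUEST = 8          # ICMP type 8


def echo_request_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window detector over sensor events.

    events: iterable of (timestamp, src_ip, dst_ip, icmp_type) tuples.
    Returns [(time_of_first_alert, src_ip), ...] for every source whose
    echo-request count inside any `window` seconds exceeds `threshold`.
    Each source is reported once.
    """
    recent = {}       # src_ip -> timestamps still inside the window
    alerted = {}
    for ts, src, _dst, icmp_type in sorted(events):
        if icmp_type != ECHO_REQUEST:
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted[src] = ts
    return sorted((ts, src) for src, ts in alerted.items())


def naive_sweep_targets(block):
    """One echo request per host address: what 'ping each one' amounts to."""
    return [str(h) for h in ipaddress.ip_network(block).hosts()]


def broadcast_sweep_targets(block):
    """Only the .0 and .255 address of every /24 inside the block.

    Whether anything answers depends on the routers forwarding directed
    broadcasts, which most no longer do; this only counts the probes.
    """
    net = ipaddress.ip_network(block)
    subnets = net.subnets(new_prefix=24) if net.prefixlen < 24 else [net]
    targets = []
    for sub in subnets:
        targets.append(str(sub.network_address))
        targets.append(str(sub.broadcast_address))
    return targets


def simulate_sweep(targets, attacker="203.0.113.7", rate=50.0, start=0.0):
    """Constructed sensor events for a sweep sent at `rate` requests per
    second from `attacker` (a made-up documentation address)."""
    return [(start + i / rate, attacker, t, ECHO_REQUEST)
            for i, t in enumerate(targets)]


def sweep_detected(targets, **kw):
    """True if the IDS rule above would fire on this sweep."""
    return bool(echo_request_alerts(simulate_sweep(targets, **kw)))


if __name__ == "__main__":
    for name, targets in (("naive /24", naive_sweep_targets("152.117.6.0/24")),
                          ("broadcast /24", broadcast_sweep_targets("152.117.6.0/24")),
                          ("naive /16", naive_sweep_targets("152.117.0.0/16")),
                          ("broadcast /16", broadcast_sweep_targets("152.117.0.0/16"))):
        print("%-14s %6d probes  detected=%s" % (name, len(targets), sweep_detected(targets)))
```

Note that slowing the sweep down (one request per second) also stays under this rule; the broadcast trick saves packets, a slow sweep saves nothing but time, and a sensor that counts all ICMP from a source rather than only echo requests catches the timestamp and mask variants on the next slide too.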
WORKAROUND 2

    Another way to avoid easy detection is to
     use a non-echo ICMP request
        Such as a timestamp request (ICMP type 13)
        Or an address mask request (ICMP type 17)
        An IDS rule that counts only echo requests misses these; a rule
         that counts all ICMP from one source does not, and many stacks
         ignore address mask requests entirely

    A useful tool is icmpush, which will build
     and send an ICMP request
        For example:

                icmpush -tstamp 192.168.5.5

         returns

                kenny.sys-security.com -> 13:48:07

         The timestamp reply carries the host's clock, so the
          site is on-line

Port Scan

PROGRESS
    From the whois and the ping sweep we know that
     plu has at least 3 hosts available:
        shemp.cs.plu.edu (152.117.6.1)
        antfarm.cs.plu.edu (152.117.6.3)
        mem105cam.cs.plu.edu (152.117.6.6)

    Now we want to find out what services are
     available, in the form of which ports are open
        Remember: ports represent common services on a
         system, such as ftp on port 21 and the web on port 80

PORT SCAN METHODS

    Port scanning can be subdivided into three groups: horizontal,
     vertical, and block scans
        A horizontal scan queries a specific port on
         numerous machines.
            This is used when an exploit is known for a particular service and
             the hacker wants to know which machines are running the vulnerable
             service. An example would be scanning for the notoriously
             vulnerable ftp on port 21.
        A vertical scan queries all the ports on a given host.
            For example, if a hacker wants to alter the content of the CS web
             site, all ports on the web server 152.117.6.1 would be scanned.
        A block scan is a combination of a vertical and a horizontal
         scan.
            A block scan can determine the same information as an ICMP ping
             sweep (i.e., which machines are active in the network block), with
             the added benefit of determining the services running on the
             active hosts.
PORT SCAN TYPES
    No matter which method is selected, there
     are several ways to go about scanning
     ports on a system

    Four common methods are:
        TCP SYN scan
        Stealth scan
        FTP bounce scan
        UDP scan

TCP/SYN SCAN 1

    To establish a TCP connection between a
     source and a system port, the two parties
     execute a 3-way handshake

                1   SYN
                2   SYN/ACK
                3   ACK

    Of course, the SYN/ACK in step 2 is only
     returned if the port is open; a closed port
     answers the SYN with a RST

TCP/SYN SCAN 2
    A half-open SYN scan can be performed using nmap -sS.
        This scan sends a segment with the SYN flag set but never
         completes the handshake: when the SYN/ACK comes back, the scanner
         answers with a RST instead of an ACK.
        Because no full connection is ever established, the half-open
         connection is never handed to the application and so is not
         logged by it (the operating system, a firewall or an IDS can
         still log the SYN).
        Raw sockets are needed to do this, so nmap -sS requires root.

    Result
        If the host port is open, a segment with the SYN and ACK flags
         will be returned.
        If the host port is closed, a segment with the RST flag will be
         returned.
        If a host is contacted that is not alive, a border router will likely
         respond with an ICMP host unreachable message.
        If the network is configured not to send ICMP host unreachable
         messages, there will be no reply when scanning an inactive host.
        If the port is firewalled, there will also be no response.
        Thus the hacker must try to tell an inactive host from a firewalled
         port using other data obtained in the scan (nmap reports both
         cases as "filtered")

TCP/SYN SCAN 3
    Results of a SYN scan of shemp:
        (scan output not reproduced in this text)

STEALTH SCAN
    Filtering and other security systems such as firewalls
     will usually pick up on SYN packets sent to sensitive
     ports
        Programs are also available to log half-open SYN scan
         attempts
        However, probe packets with strange TCP flag combinations can
         sometimes pass through filters undetected

    A stealth scan uses an unusual flag combination to which,
     per RFC 793, only closed ports respond (with a RST); an open
     port silently drops the probe, so no reply means open or
     filtered. The variants are:
        A FIN probe, with only the FIN flag set
        An XMAS probe, with FIN, PSH and URG set (the "Christmas tree")
        A NULL probe, with no flags set
        An ACK probe is the odd one out: both open and closed ports
         answer it with a RST, so it cannot find open ports; it is
         used to tell filtered ports (no reply) from unfiltered ones

    Caveat: stacks that do not follow RFC 793 here (Windows, many
     Cisco devices) reply RST to FIN, XMAS and NULL probes whatever
     the port state, so every port appears closed

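The probes on the two SYN scan slides and on this one, built and interpreted in code. This is an added example, not code from the slides or from nmap: it constructs the 20-byte TCP header a SYN, FIN, NULL, XMAS or ACK scanner sends (with the checksum over the IPv4 pseudo-header, which is the part hand-rolled scanners most often get wrong) and classifies the reply exactly along the lines the slides lay out. The addresses and ports are made up; nothing is transmitted, since putting such a segment on the wire needs a raw socket and root.

```python
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations of the probes discussed on the slides
PROBES = {
    "syn":  SYN,
    "fin":  FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,   # nmap's Xmas tree lights FIN, PSH and URG
    "ack":  ACK,
}


def checksum(data):
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def _pseudo_header(src_ip, dst_ip, tcp_len):
    # IPv4 pseudo-header covered by the TCP checksum: src, dst, zero, proto 6, TCP length
    return _ip2b(src_ip) + _ip2b(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_probe(src_ip, dst_ip, sport, dport, probe, seq=0x1000):
    """20-byte TCP header (no options, no data) for one of PROBES, checksum filled in."""
    flags = PROBES[probe]
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent ptr
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: a correct segment plus its pseudo-header sums to zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    return segment[13]


def classify(probe, reply_flags=None, icmp_unreachable=False):
    """Port state from what came back, following the slides' reasoning.

    reply_flags: the TCP flags byte of the reply, or None if nothing arrived.
    icmp_unreachable: True if an ICMP destination unreachable came instead
    (a filtering router, or a dead host).
    """
    if icmp_unreachable:
        return "filtered"
    if probe == "syn":
        if reply_flags is None:
            return "filtered"          # dropped by a firewall, or the host is down
        if reply_flags & RST:
            return "closed"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"              # the scanner now sends RST instead of ACK
        return "unexpected"
    if probe == "ack":
        # Any unfiltered port answers an ACK probe with RST, open or not, so
        # this probe only separates filtered from unfiltered.
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    # fin / null / xmas: an RFC 793 host RSTs a closed port and ignores an open
    # one, so silence means open OR filtered. Stacks that RST regardless
    # (Windows and others) make every port look closed.
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unexpected"
```

The difference between the SYN and the XMAS branch of classify is the whole reason the XMAS scan on the next slide reports so many ports: silence is a definite "filtered" for a SYN probe but an ambiguous "open|filtered" for FIN, NULL and XMAS.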
XMAS SCAN EXAMPLE
    Result of an XMAS scan of shemp:
        (scan output not reproduced in this text)

    Notice how many ports are reported: an XMAS scan lists every
     port that stayed silent as open|filtered, because it cannot
     tell an open port from a firewalled one

FTP BOUNCE SCAN 1
    A known problem in older ftp servers involves:
        An attacker connects to an FTP server and
         establishes a control connection.
        The attacker can then ask the FTP server, with a PORT
         command, to open an active-mode data connection
         to any address and port on the Internet, where a
         user data transfer process is presumed to be listening.
        This can be exploited to scan behind a firewall:
            connect to an FTP server behind the firewall,
            then use it to probe ports that the firewall blocks
             from the attacker directly (nmap -b does this).
            If a directory is writable for the account you are
             using on the FTP server, you can also upload a file
             and have the server deliver its contents to the
             ports you find open
        Modern ftp servers refuse a PORT command naming an
         address other than the client's own, which closes
         the hole

FTP BOUNCE SCAN 2
    The process looks like:

        Attacker  -->  ftp Server  -->  Target

        1. Send a PORT command to the ftp server telling it
           to connect to a specific port of the target machine
        2. Follow that with a LIST command
        3. There will be one of two responses:
               150 Opening ASCII mode data connection for file list
               226 Transfer complete
                   -> the port is open
               425 Can't build data connection: Connection refused
                   -> the port is closed
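The exchange on this slide as code: an added example, not from the slides or from any FTP server or scanner. port_command encodes the PORT argument the way RFC 959 requires (the port is sent as two decimal bytes), bounce_scan drives PORT/LIST per port and reads the reply codes as the slide does, and fake_ftp_server is a constructed stand-in for a vulnerable ftpd so the whole thing runs offline; the target address 152.117.6.1 is the slides' own, the "open" ports 22 and 80 are made up.

```python
import re


def port_command(ip, port):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959): the port goes out as high byte, low byte."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address")
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def reply_code(reply):
    """Three-digit code at the start of a (possibly multi-line) FTP reply."""
    m = re.match(r"(\d{3})", reply)
    return m.group(1) if m else None


def bounce_scan(send, target_ip, ports):
    """Scan `ports` on `target_ip` through an FTP server.

    `send(command) -> reply text` is the already logged-in control
    connection: a socket wrapper in practice, a constructed fake here.
    Returns {port: "open" | "closed" | "refused-by-server" | "unknown"}.
    """
    results = {}
    for port in ports:
        if reply_code(send(port_command(target_ip, port))) != "200":
            # A patched server refuses a PORT naming an address other than the client's
            results[port] = "refused-by-server"
            continue
        code = reply_code(send("LIST"))
        if code in ("150", "125"):
            results[port] = "open"      # the server connected to the target port
        elif code == "425":
            results[port] = "closed"    # "Can't build data connection: Connection refused"
        else:
            results[port] = "unknown"
    return results


def fake_ftp_server(open_ports, allows_third_party=True):
    """Constructed stand-in for the vulnerable ftpd (not a real server): it
    accepts any PORT and reports whether its data connection 'succeeded'.
    allows_third_party=False models a patched server."""
    state = {"port": None}

    def send(cmd):
        if cmd.startswith("PORT "):
            if not allows_third_party:
                return "500 Illegal PORT command."
            f = cmd[5:].split(",")
            state["port"] = int(f[4]) * 256 + int(f[5])
            return "200 PORT command successful."
        if cmd == "LIST":
            if state["port"] in open_ports:
                return ("150 Opening ASCII mode data connection for file list\r\n"
                        "226 Transfer complete")
            return "425 Can't build data connection: Connection refused"
        return "500 Unknown command"

    return send


if __name__ == "__main__":
    print(bounce_scan(fake_ftp_server({22, 80}), "152.117.6.1", [21, 22, 80, 8080]))
```

Against a real server the same driver works with send() wrapping a socket, after USER/PASS; the "refused-by-server" outcome is what you will see from any current ftpd, which is why nmap -b is mostly of historical interest.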
UDP SCAN

    UDP port scanning is extremely slow.
        UDP has no handshake, so the only negative signal is an ICMP port
         unreachable, and most stacks rate-limit ICMP errors (Linux to
         about one per second), so a scan of many closed ports crawls.

    Nmap sends an empty (0-byte) datagram to each port and interprets
     the reply:
        a UDP reply: open
        ICMP type 3 code 3 (port unreachable): closed
        other ICMP unreachable codes (1, 2, 9, 10, 13): filtered
        nothing at all: open|filtered, since an open service may simply
         ignore an empty datagram

    Reading the ICMP replies needs a raw socket, so nmap -sU requires
     root privileges (unlike the TCP connect scan, nmap -sT).

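The reply side of the UDP scan as code: an added example, not from the slides or from nmap. An ICMP destination unreachable quotes the IP header and the first 8 bytes of the datagram that provoked it; that quoted UDP header is how a scanner knows which probe the error belongs to, and the ICMP code is what separates "closed" from "filtered". The packets are constructed by hand (header checksums are left at zero because nothing here goes on the wire), and the addresses are the slides' target plus a made-up scanner address.

```python
import struct

UDP = 17
ICMP_UNREACHABLE = 3
ICMP_PORT_UNREACHABLE = 3          # type 3, code 3: nothing is listening there


def _ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def build_udp_probe(sport, dport, payload=b""):
    """UDP header + payload. Checksum 0 means 'not computed', which IPv4 allows;
    nmap's default probe is the empty datagram this builds with no payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4_header(src_ip, dst_ip, proto, payload_len, ttl=64):
    """Minimal IPv4 header, no options. Header checksum left 0 (constructed packet)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, _ip2b(src_ip), _ip2b(dst_ip))


def build_icmp_unreachable(code, offending_ip_header, offending_payload):
    """What the target or a router sends back: ICMP type 3 header (4 bytes),
    4 unused bytes, then the offending IP header and its first 8 payload bytes."""
    return (struct.pack("!BBHI", ICMP_UNREACHABLE, code, 0, 0)
            + offending_ip_header + offending_payload[:8])


def quoted_udp_ports(icmp_msg):
    """(sport, dport) of the UDP datagram quoted inside an ICMP error, or None."""
    if len(icmp_msg) < 8 + 20 + 4:
        return None
    inner = icmp_msg[8:]
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length in bytes
    if inner[9] != UDP or len(inner) < ihl + 4:
        return None
    return struct.unpack("!HH", inner[ihl:ihl + 4])


def classify_udp_reply(probe_sport, probe_dport, reply):
    """reply is None, ("udp", payload) or ("icmp", raw_icmp_message)."""
    if reply is None:
        return "open|filtered"      # silence: a service that ignored us, or a firewall
    kind, data = reply
    if kind == "udp":
        return "open"               # something answered the datagram
    if data[0] != ICMP_UNREACHABLE:
        return "open|filtered"      # some other ICMP type carries no port information
    if quoted_udp_ports(data) != (probe_sport, probe_dport):
        return "unrelated"          # an error for a different probe; do not credit it here
    return "closed" if data[1] == ICMP_PORT_UNREACHABLE else "filtered"


if __name__ == "__main__":
    probe = build_udp_probe(40000, 53)
    ip_hdr = build_ipv4_header("203.0.113.7", "152.117.6.1", UDP, len(probe))
    err = build_icmp_unreachable(ICMP_PORT_UNREACHABLE, ip_hdr, probe)
    print(quoted_udp_ports(err), classify_udp_reply(40000, 53, ("icmp", err)))
```

Matching on the quoted ports matters in practice: with ICMP errors rate-limited to one per second, a scanner that sends probes faster than that and attributes each late error to whatever port it last probed will mislabel ports; nmap slows down when it detects the rate limit for exactly this reason.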

				